ComponentSpace

Forums



Send Signed SAML Response to SP in .net core applications


Send Signed SAML Response to SP in .net core applications

Author
Message
HTestUser
HTestUser
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 5, Visits: 25
I have a requirement to send signed SAML response to SP through http post in .net core class library. we were able to do it in .net framework applications but couldn't make it in .net core applications.
       signedXml = signature.Generate(responseXml, certificate?.GetRSAPrivateKey(), SamlConstants.DigestAlgorithms.SHA256, SamlConstants.SignatureAlgorithms.RSA_SHA256, null, certificate);
looking for the equivalent method in .net core for the below code
   //  IdentityProvider.SendSAMLResponseByHTTPPost(response, destinationURL, signedXml, targetUrl);
Appreciate any help!!
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
What you were using is part of the low-level SAML API. Our recommendation is to use the high-level API as this is much easier to use, is configuration driven, and requires less application code.

There are two APIs for sending SAML responses. ISamlIdentityProvider.InitiateSsoAsync sends a SAML response as part of IdP-initiated SSO. ISamlIdentityProvider.SendSsoAsync sends a SAML response as part of SP-initiated SSO.

The following code is from the ExampleIdentityProvider's SamlController.


public async Task<IActionResult> InitiateSingleSignOn()
{
  // Get the name of the logged in user.
  var userName = User?.Identity?.Name;

  // For demonstration purposes, include some claims.
  var attributes = new List<SamlAttribute>()
  {
   new SamlAttribute(ClaimTypes.Email, User?.FindFirst(ClaimTypes.Email)?.Value),
   new SamlAttribute(ClaimTypes.GivenName, User?.FindFirst(ClaimTypes.GivenName)?.Value),
   new SamlAttribute(ClaimTypes.Surname, User?.FindFirst(ClaimTypes.Surname)?.Value),
  };

  var partnerName = _configuration["PartnerName"];
  var relayState = _configuration["RelayState"];

  // Initiate single sign-on to the service provider (IdP-initiated SSO)
  // by sending a SAML response containing a SAML assertion to the SP.
  // The optional relay state normally specifies the target URL once SSO completes.
  await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);

  return new EmptyResult();
}

 

I recommend taking a look at this example project.

Also, take a look at the Examples Guide in the documentation folder. This walks you through this and the other projects.

The signing of the SAML response is specified through the SAML configuration and handled by the API. 

Regards
ComponentSpace Development
HTestUser
HTestUser
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 5, Visits: 25
ComponentSpace - 9/15/2022
What you were using is part of the low-level SAML API. Our recommendation is to use the high-level API as this is much easier to use, is configuration driven, and requires less application code.

There are two APIs for sending SAML responses. ISamlIdentityProvider.InitiateSsoAsync sends a SAML response as part of IdP-initiated SSO. ISamlIdentityProvider.SendSsoAsync sends a SAML response as part of SP-initiated SSO.

The following code is from the ExampleIdentityProvider's SamlController.


public async Task<IActionResult> InitiateSingleSignOn()
{
  // Get the name of the logged in user.
  var userName = User?.Identity?.Name;

  // For demonstration purposes, include some claims.
  var attributes = new List<SamlAttribute>()
  {
   new SamlAttribute(ClaimTypes.Email, User?.FindFirst(ClaimTypes.Email)?.Value),
   new SamlAttribute(ClaimTypes.GivenName, User?.FindFirst(ClaimTypes.GivenName)?.Value),
   new SamlAttribute(ClaimTypes.Surname, User?.FindFirst(ClaimTypes.Surname)?.Value),
  };

  var partnerName = _configuration["PartnerName"];
  var relayState = _configuration["RelayState"];

  // Initiate single sign-on to the service provider (IdP-initiated SSO)
  // by sending a SAML response containing a SAML assertion to the SP.
  // The optional relay state normally specifies the target URL once SSO completes.
  await _samlIdentityProvider.InitiateSsoAsync(partnerName, userName, attributes, relayState);

  return new EmptyResult();
}

 

I recommend taking a look at this example project.

Also, take a look at the Examples Guide in the documentation folder. This walks you through this and the other projects.

The signing of the SAML response is specified through the SAML configuration and handled by the API. 

Thank you for quickly responding.
I can make use of high level API as well but currently I have limitation to implement the functionality in class library where I can't make use of DI to inject ISamlIdentityProvider instance variable. 
Could you please let us know how to call InitiateSsoAsync method. Any sample code is appreciated!

Thank you!
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
You could instantiate the SamlIdentityProvider class directly. However, its constructor requires you to construct a number of other instances.

I'm not sure why you can't use DI in your class library. It would be far easier to make use of DI for the instantiation of these classes.



Regards
ComponentSpace Development
HTestUser
HTestUser
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 5, Visits: 25
ComponentSpace - 9/15/2022
You could instantiate the SamlIdentityProvider class directly. However, its constructor requires you to construct a number of other instances.

I'm not sure why you can't use DI in your class library. It would be far easier to make use of DI for the instantiation of these classes.


How to validate or deal with the X509Certificate2 certificate here?
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
The X.509 certificate used to sign the SAML response is specified through the SAML configuration.

I've included some of the SAML configuration from the ExampleIdentityProvider's appsettings.json below.


"SAML": {
  "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
  "Configurations": [
  {
   "LocalIdentityProviderConfiguration": {
      "Name": "https://ExampleIdentityProvider",
      "Description": "Example Identity Provider",
      "SingleSignOnServiceUrl": "https://localhost:44313/SAML/SingleSignOnService",
      "SingleLogoutServiceUrl": "https://localhost:44313/SAML/SingleLogoutService",
      "ArtifactResolutionServiceUrl": "https://localhost:44313/SAML/ArtifactResolutionService",
      "LocalCertificates": [
      {
        "FileName": "certificates/idp.pfx",
        "Password": "password"
      }
    ]
   },
   "PartnerServiceProviderConfigurations": [
    {
      "Name": "https://ExampleServiceProvider",
      "Description": "Example Service Provider",
      "WantAuthnRequestSigned": true,
      "SignSamlResponse": true,
      "EncryptAssertion": true,
      "SignLogoutRequest": true,
      "SignLogoutResponse": true,
      "WantLogoutRequestSigned": true,
      "WantLogoutResponseSigned": true,
      "AssertionConsumerServiceUrl": "https://localhost:44360/SAML/AssertionConsumerService",
      "SingleLogoutServiceUrl": "https://localhost:44360/SAML/SingleLogoutService",
      "ArtifactResolutionServiceUrl": "https://localhost:44360/SAML/ArtifactResolutionService",
      "PartnerCertificates": [
      {
        "FileName": "certificates/sp.cer"
      }
    ]
    },



The SignSamlReponse flag specifies that the SAML response will be signed. It's signed using the LocalCertificate (ie idp.pfx).



Regards
ComponentSpace Development
HTestUser
HTestUser
New Member
New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)New Member (6 reputation)

Group: Forum Members
Posts: 5, Visits: 25
ComponentSpace - 9/15/2022
The X.509 certificate used to sign the SAML response is specified through the SAML configuration.

I've included some of the SAML configuration from the ExampleIdentityProvider's appsettings.json below.


"SAML": {
  "$schema": "https://www.componentspace.com/schemas/saml-config-schema-v1.0.json",
  "Configurations": [
  {
   "LocalIdentityProviderConfiguration": {
      "Name": "https://ExampleIdentityProvider",
      "Description": "Example Identity Provider",
      "SingleSignOnServiceUrl": "https://localhost:44313/SAML/SingleSignOnService",
      "SingleLogoutServiceUrl": "https://localhost:44313/SAML/SingleLogoutService",
      "ArtifactResolutionServiceUrl": "https://localhost:44313/SAML/ArtifactResolutionService",
      "LocalCertificates": [
      {
        "FileName": "certificates/idp.pfx",
        "Password": "password"
      }
    ]
   },
   "PartnerServiceProviderConfigurations": [
    {
      "Name": "https://ExampleServiceProvider",
      "Description": "Example Service Provider",
      "WantAuthnRequestSigned": true,
      "SignSamlResponse": true,
      "EncryptAssertion": true,
      "SignLogoutRequest": true,
      "SignLogoutResponse": true,
      "WantLogoutRequestSigned": true,
      "WantLogoutResponseSigned": true,
      "AssertionConsumerServiceUrl": "https://localhost:44360/SAML/AssertionConsumerService",
      "SingleLogoutServiceUrl": "https://localhost:44360/SAML/SingleLogoutService",
      "ArtifactResolutionServiceUrl": "https://localhost:44360/SAML/ArtifactResolutionService",
      "PartnerCertificates": [
      {
        "FileName": "certificates/sp.cer"
      }
    ]
    },



The SignSamlReponse flag specifies that the SAML response will be signed. It's signed using the LocalCertificate (ie idp.pfx).


Can I configure Certificate Name , Partnername and etc in appsettings.json file dynamically through code as end user will provide details?
 Thank you
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)ComponentSpace Development (4.2K reputation)

Group: Administrators
Posts: 3K, Visits: 10K
Yes. Please refer to the Configuration Guide. There are several options for specifying configuration dynamically.

We include an implementation where the SAML configuration is stored in an Entity Framework database. You also have the option of storing configuration in a custom database etc.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 2 queries. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search